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Yahoo Webmessenger 


Update data sent to individuals logged into Yahoo's Instant 
Messenger service online 

— Online contact status, unread emails in Yahoo inbox 

— Usually small sessions (2-4kB) 
Sporadic collection (30,000 — 60,000 sessions per day) 
Intermittent bursts of collection against contacts of targets 

— Large numbers of sessions (20,000+) against a single targeted selector 

— Not collected against the target (online presence/unread email from target) 


— No owner attribution (metadata value limited to fact-of comms for emails, 
online presence events for buddies) 


Over a dozen selectors detasked in two weeks 
— Because a targets contact was using/idling on Yahoo Webmessenger 
— Several very timely selectors (Libyan transition, Greek financial related) 
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Address Books 


* Email address books for most major webmail are collected as 
stand-alone sessions (no content present*) 


* Address books are repetitive, large, and metadata-rich 
* Data is stored multiple times (MARINA/MAINWAY, PINWALE, CLOUDs) 
e Fewer and fewer address books attributable to users, targets 


* Address books account for ~ 22% of SSO’s major accesses (up 
from ~ 12% in August) 


‘Access (10 Jan 12) Total Sessions Address Books ` Provider Collected Attributed Attributed% 
US-3171 1488453 237067 (16% of traffic) Yahoo 444743 11009 2.48% 
DS-200B 938378 311113 (33% of traffic) Hotmail 105068 1115 1.06% 
US-3261 94132 2477 (3% of traffic) Gmail 33697 2350 6.97% 
US-3145 177663 29336 (16% of traffic) Facebook 82857 79437 95.87% 
US-3180 269794 40409 (15% of traffic) Other 22881 1175 5.14% 
US-3180 (16 Dec 11) 289318 91964 (32% of traffic) TOTAL sarit SEUS 0 
TOTAL 3257738 712366 (22% of traffic) 
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Buddy Lists, Inboxes 


Unlike address books, frequently contain content data 
— Offline messages, buddy icon updates, other data included 
— Webmail inboxes increasingly include email content 


— Most collection is due to the presence of a target on a buddy list where the 
communication is not to, from, or about that target 


NSA collects, on a representative day, ~ 500,000 buddylists and 
inboxes 


— More than 90% collected because tasked selectors identified only as 
contacts (not communicant, content, or owner) 


Identifying buddylists and inboxes without content (or without 
useful content) an ongoing challenge 
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Scenario: E @yahoo 


H Sep 2011 @yahoo.com (tasked S2E, asw 
Iran Quds Force) has his/her Yahoo account hacked by an 
unknown actor, sends out spam email to his/her contact list: 


Active user: 


DNI Parser Webmail Display YAHOO! MAIL EEE 
A e 
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Scenario: __ @yahoo 


@yahoo.com has a number of Yahoo groups in his/her 


contact list, some with many hundreds or thousands of 
members 


e At DS-200B in particular, collection spiked as: 


The initial soam messages were sent (and collected) 

Inboxes of email recipients were viewed by i contact list 
Messages were sometimes viewed, but more often sent as precached 
views on Google and Yahoo (along with inboxes) 

Inboxes where the recipient did not delete the spam message continued to 
be collected every time they were viewed 


Some recipients added @yahoo.com to their address books 
(possibly as a spam defeat?) — address books were collected every time 
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Scenario: __ @yahoo 


DS-200B Collection By Day - 11 Sep - 24 Sep (in MB) 


120000 


100000 J 
80000 
60000 
40000 
20000 
S N » N w x N S N 
S P x» Ca SD $ À ` SÌ 


DS-200B Collection By Hour — 18 Sep — 23 Sep (in MB) 
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Scenario: __ @yahoo 


@yahoo.com emergency detasked from DS-200B and 
US-3171 at 13:04Z on 20 Oct 


Numerous first-order address books and inboxes collected 


meant tasked selectors on address books or buddy lists of 
contacts of @yahoo.com also affected: 


- @yahoo.com and | | @ gmail.com emergency 
detasked off US-3171 at 13:10Z on 20 Sep 


Memorializing to PINWALE only address books and inboxes 
owned by target selectors would have reduced PINWALE 
volumes 90%+ 

— Site XKEYSCOREs would buffer data for SIGDEV purposes 

— Metadata from known owner address books and inboxes stored regardless 
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Mobile IMAP 


e IMAP protocol used by email clients 20 casini 


to fetch mail from server(s) pee 
à | | A3 EXAMINE INBOX 
* Not designed for devices with A4 LIST "" INBOX 


AS LIST "" "INBOX.5" 


intermittent connections (i.e. mobile 26 srarca since 15-Aug-2011 UNDELETED ALL 


A7 FETCH 17 (ENVELOPE INTERNALDATE RFC822.SIZE 


phones) A8 FETCH 17 (BODY.PEEK [HEADER] ) 
AS CLOSE 
* Android implementation in TE 
particular uses a lot of bandwidth 
Date Erom To Subject Attachments 
Oa re _ _ ES comin n 
sè Display Information: Email B Send to v 
Subject: 2nd Payment Reminder DR 
Foo: NAR 
r SE 
Date: Fri Aug Sa 
Text Size E Œ View Full Screen di 


DNI Parser: Document or message hes no date 
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